hulud
How to use hulud in a sentence. Live example sentences for hulud pulled from indexed public discussions.
Editorial note
On this page "hulud" almost always occurs as the second half of "Shai-Hulud" (also written "Shai Hulud" and, in some posts, "Sha1-Hulud" for the 2.0 wave): the name given to a self-propagating npm supply-chain worm that, once an install hook runs it on a developer machine, harvests credentials and publishes them to newly created public GitHub repositories. The name is borrowed from the sandworm of Frank Herbert's Dune, which is the sense the one non-security quote below uses. Typical usage: "The first malware, Shai Hulud 2, exfiltrates credentials from the infected dev machine to new public GitHub repositories."
Quick take
The first malware, Shai Hulud 2, exfiltrates credentials from the infected dev machine to new public GitHub repositories.
Example sentences
The HN frontpage has a Shai-hulud attack that would have been foiled by running (infected) code in a container.
Shai Hulud exploited Bun runtime APIs and legitimate GitHub API traffic to evade Node-focused scanners.
We've seen similar patterns in the last 6 months — Zapier's npm account (425 packages, Shai Hulud malware) and Dify's React2Shell incident both followed the same vector: a trusted package maintainer account as the entry point.
The issues we see with left-pad and shai-hulud have never and will never happen to me using those packages, because they simply do not accept the kinds of garbage people put up on npm, or brew apparently as you pointed out.
Claude's built-in sandbox allows read-only access everywhere, which means Shai-Hulud-style malware can still read ~/.ssh and ~/.aws or private folders.
Not sure if this is meant to be sarcastic but isn't Posthog patient zero of Sha1-Hulud 2.0?
Docker Hardened Images integrate Socket Firewall, which provides protection from threats like Shai-Hulud during build steps.
Shai Hulud, the chalk and debug hijack, and S1ngularity all spread before any advisory existed.
Includes real attack case studies (Ultralytics, GhostAction, Shai-Hulud) and a phased roadmap for adoption.
One of CZ's tweets hints at an insider threat, but Trust Wallet was one of the GitHub organizations pwned by Sha1 Hulud.
I had this idea after the Shai-Hulud attack. It's an experimental side project, but so far it looks very promising.
Quote examples
In Python's case, as the article describes quite clearly, the issue is that the design of "working software" (particularly setup.py) was bad to the point of insane (in much the same way as the NPM characteristics that enabled the recent Shai Hulud supply chain attacks, but even worse).
All of the recent “Shai-Hulud” attack waves leveraged build-time execution, since it’s a reliable way to actually execute code on a target (unlike putting the payload in the dependency itself, since the dependency’s own code might not run until much later.) Sandboxing would be a useful layer of defense, but it’s not a trivial one to add to ecosystems where execution on the host is already the norm and assumption.
At some point, when you go to extreme lengths to pick the softest wording possible, you yourself become an accomplice. They didn't "summon"; that word is better for fantasies where they summon spirits or beasts like shai-hulud. Here the fitting word would be "forced", as in "Iran government forces families of exiled journalists to stop any criticism against them".
Proper noun examples
Claude's built-in sandbox allows read-only access everywhere, which means Shai-Hulud-style malware can still read ~/.ssh and ~/.aws or private folders.
Not sure if this is meant to be sarcastic but isn't Posthog patient zero of Sha1-Hulud 2.0?
Docker Hardened Images integrate Socket Firewall, which provides protection from threats like Shai-Hulud during build steps.
Frequently asked questions
Short answers drawn from the clearest meanings and examples for this word.
How do you use hulud in a sentence?
The first malware, Shai Hulud 2, exfiltrates credentials from the infected dev machine to new public GitHub repositories.